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1 . (Currently Amended) In a computer network, a method for 
maintaining an acceptable use policy comprising: 

receiving input from a user selecting a subject matter category for use in 
monitoring network communications; 

monitoring TCP/IP network communications; 

storing raw TCP/IP session data of said TCP/IP network communications 
on disk, even when the communication does not conform to a known protocol; 

testing the stored communications for the presence of at least one 
preselected criterion, wherein the preselected criterion is defined by a user, is 
assoc i at e d with th e us e r s ele ct e d sub ie ct matt e r cat e gory, and comprises two or 
more subject matter categories each comprising regular expressions, with a first 
portion of said regular expressions assigned weights with negative values and a 
second portion of said regular expressions assigned weights with positive values, 
c ompr ises on e or mor e r e gu l ar e xpr e ssion s, wherein the raw TCP/IP session 
data including all TCP control and payload data is tested for the presence of the 
at least one preselected criterion and wherein said testing first tests the stored 
communications for the presence of the negative valued regular expressions ; 

maintaining a sum of values associated with said regular expressions 
found within at least one subiect matter categon/ as each regular expression is 
found by said testing by adding the value of the found regular expression to the 
sum of values : 

deleting the communications if the presence of said at least one 
preselected criterion is not determined; and 

storing the communications and halting the testing and maintaining if the 
sum of values associated with said regular expressions within a categon/ meets 
or exceeds a positive threshold value selected based on user input. tf4he 
pr e s e nc e of sa i d at le a s t on e pr e s ele ct e d cr i t e rion i s d e t e rm i n e d, 

wh e r ei n th e pr e s ele ct e d cr i t e r i on compr i s e s two or mor e subj e ct matt e r 
cat e gor ie s; 

wh e r e in sa i d subj e ct matt e r cat e gor ie s compr i s e r e gular e xpr e ssions; 

wh e r ei n a fir s t portion of s a i d r e gu l ar e xpr e ss i ons ar e ass i gn e d w ei ghts 
w i th n e gat i v e va l u e s and a s e cond portion of s a i d r e gu l ar e xpr e ss i ons ar e 
ass i gn e d w ei ghts w i th pos i t i v e va l u e s; and 
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wh e r ei n r e gu la r e xpr e ssions w i th i n a subj e ct m a tt e r cat e gory hav i ng a 
n e gat i v e va l u e ar e proc e ss e d b e for e r e gu l ar e xpr e ss i ons having a po si t i v e valu e . 

2-8. (Cancelled) 

9. (Previously Presented) The method of claim 1, further comprising 
prioritizing the order in which regular expressions within a subject matter category 
are tested. 

10. (Previously Presented) The method of claim 9, wherein said 
prioritizing reduces the likelihood of false hits. 

11. (Cancelled). 

12. (Previously Presented) The method of claim 1, wherein the 
computer network is a wide area network. 

13. (Previously Presented) The method of claim 1, wherein the 
computer network is a local area network. 

14. (Previously Presented) The method of claim 1 , wherein the 
presence of the preselected criterion in at least one of said categories comprises 
a match in a plurality of categories. 

15. (Previously Presented) The method of claim 1 , wherein said 
subject matter categories comprise key words. 

16-21. (Cancelled) 

22. (Currently Amended) The method of claim [[21]] 1, wherein the 
threshold value of at least one subject matter category comprises equaling or 
exceeding the threshold value in a plurality of subject matter categories. 

23. (Previously Presented) The method of claim 21 , wherein said 
* threshold values assigned to said subject matter categories are variable. 

24. (Currently Amended) The method of claim [[18]] 1, wherein said 
subject matter categories have a hierarchical relationship. 
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25. (Previously Presented) The method of claim 24, wherein said 
hierarchical relationship comprises defining the threshold value for at least one 
subject matter category as the presence of predetermined expressions in a 
plurality of other subject matter categories. 

26. (Previously Presented) The method of claim 24, wherein said 
hierarchical relationship comprises defining the threshold value for at least one 
subject matter category as matching or exceeding the threshold value assigned 
to a plurality of other subject matter categories. 

27. (Previously Presented) The method of claim 1 , further comprising 
outputting a report relating to the presence of said at least one preselected 
criterion. 

28. (Previously Presented) The method of claim 27, wherein said 
report identifies individuals whose use of the computer network included 
communications which matched preselected criterion. 

29. (Previously Presented) The method of claim 27, wherein said 
report identifies network addresses where communications were received or 
originated that included matched preselected criterion. 

30. (Currently Amended) The method of claim [[2]] 1, further 
comprising outputting a report relating to the presence of preselected criterion, 
wherein said report identifies the number of matches in a category. 

31. (Previously Presented) The method of claim 30, wherein said 
report is in a graphical format and at least a portion of the stored communications 
is displayed in a user interface in a form matching that generated or viewed 
during the monitored TCP/IP network communications. 

32. (Previously Presented) The method of claim 27, wherein said 
report provides the text of all communications that match said preselected 
criterion. 
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33. (Previously Presented) The method of claim 27, wherein said 
report is in a human readable format and at least a portion of the stored 
communications is provided in the report in a form matching that generated or 
viewed during the monitored TCP/IP network communications. 

34. (Currently Amended) A method for monitoring and maintaining an 
acceptable use policy for computer network usage comprising: 

capturing data on a network, wherein the data comprises multiple half 
sessions of TCP/IP network communications; 

removing data content that does not contain language elements; 

testing the remaining content for the presence of predetermined 
expressions, wherein the predetermined expressions comprise two or more 
categories each containing predetermined expressions that are defined by a user 
and are weighted with positive and negative values, wherein said testing first 
tests the remaining content for the presence of the negative valued 
predetermined expressions ; 

maintaining a sum of values associated with said predetermined 
expressions found within at least one category as each predetermined 
expression is found by said testing by adding the value of the found 
predetermined expression to the sum of values ; and 

storing the remaining data and halting the testing and maintaining if the 
sum of values associated with said predetermined expressions within a category 
meets or exceeds a positive threshold value selected based on user i nput; input. 

wh e r ei n sa i d e xpr e ssions ar e w ei ght e d w i th ei th e r posit i v e or n e gativ e 
va l u e s; 

wh e r ei n th e n e gativ e va l u e d e xpr e ss i ons a r e t e st e d f i rst; and 
wh e r e in th e t e st i ng and th e ma i ntaining ar e ha l t e d and th e stor i ng i s 

p e rform e d wh e n th e sum of va l u e s w i th i n a c a t e gory m ee ts or e xc ee ds th e 

pos i t i v e thr e shold v al u e . 

35. (Previously Presented) The method of claim 34, wherein said 
computer network is a wide area network. 

36. (Previously Presented) The method of claim 34, wherein said 
computer network is a local area network. 
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37-41 (Cancelled). 

42. (Previously Presented ) The method of claim 34, wherein said 
negative and positive valued regular expressions are separately tested in the 
order of largest value to smallest value. 

43. (Cancelled) 

44. (Previously Presented) The method of claim 34, wherein said 
expressions include regular expressions. 

45. (Previously Presented) The method of claim 34, wherein the 
threshold value for at least one category comprises meeting or exceeding the 
threshold value for a plurality of other categories. 

46. (Previously Presented) The method of claim 34, wherein the 
threshold value of at least one category comprises meeting or exceeding the 
threshold value for at least one other category and not meeting or exceeding the 
threshold value for at least another category. 

47. (Previously Presented) The method of claim 35, wherein said 
threshold value for a category is variable. 

48. (Previously Presented) The method of claim 34, further comprising 
outputting a report relating to the presence of predetermined expressions. 

49. (Previously Presented) The method of claim 48, wherein said report 
identifies individuals whose use of the computer network included 
communications which matched predetermined expressions. 

50. (Previously Presented) The method of claim 48, wherein said report 
identifies network addresses where communications were received or onginated 
that included matched predetermined expressions. 

51. (Previously Presented) The method of claim 34, further comprising 
outputting a report relating to the presence of predetermined expressions, 
wherein said report identifies the number of matches in a category. 
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52. (Previously Presented) The method of claim 50, wherein said 
report is In a graphical format and at least a portion of the stored communications 
is displayed in a user interface in a form matching that generated or viewed 
during the monitored TCP/IP network communications. 

53. (Previously Presented) The method of claim 48, wherein said 
report provides the text of all communications that match said predetermined 
expressions. 

54. (Previously Presented) The method of claim 48, wherein said 
report is in a human readable format and at least a portion of the stored 
communications is provided in the report in a form matching that generated or * 
viewed during the monitored TCP/IP network communications. 

55. (Currently Amended) A method for monitoring and maintaining an 
acceptable use policy for computer network usage comprising: 

capturing TCP/IP data on a network; 

removing data content that does not contain language elements and 
storing a remaining content comprising a string of language elements separated 
by spaces without regard to original formatting of the captured TCP/IP data; 

defining categories with weighted predetermined expressions, wherein the 
predetermined expressions are defined by a user and are weighted with positive 
and negative values : 

testing the remaining content for the presence of predetermined 
expressions, wherein said testing first tests the remaining content for the 
presence of the negative valued predetermined expressions : 

maintaining a sum of values associated with said predetermined 
expressions found within each category as each predetermined expression is 
found by said testing by adding the value of the found predetermined expression 
to the sum of values : and 

storing the remaining dat a content and halting the testing and maintaining 
if the sum of values associated with said predetermined expressions present 
within a category exceeds a positive threshold value. 
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56. (Previously Presented) The method of claim 55, wherein said 
remaining data is stored only if the sum of predetermined expressions exceeds 
the threshold value in a plurality of categories. 

57. (Previously Presented) The method of claim 55, wherein the 
threshold value for a category is defined as the presence of no predetermined 
expressions. 

58 (Previously Presented) The method of claim 55, wherein said 
computer network is a wide area network. 

59. (Previously Presented) The method of claim 55, wherein said 
computer network is a local area network. 

60. (Cancelled). 

61 . (Previously Presented) The method of claim 55, further comprising 
outputting a report relating to the presence of predetermined expressions whose 
sum meets or exceeds the threshold value of a category. 

62. (Previously Presented) The method of claim 61 , wherein said report 
identifies individuals whose use of the computer network included 
communications which contained predetermined expressions whose sum 
matched or exceeded the threshold value of at least one category. 

63. (Previously presented) The method of claim 61 , wherein said report 
identifies network addresses where communications were received or originated 
that included predetermined expressions whose sum matched or exceeded the 
threshold value of at least one category. 

64. (Previously Presented) The method of claim 63, wherein said report 
is in a graphical format and at least a portion of the stored communications is 
displayed in a user interface in a form matching that generated or viewed during 
the monitored TCP/IP network communications. 
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65. (Previously Presented) The method of claim 1 wherein at least one 
stored half session comprises a plurality of independent parts, and the testing is 
performed individually on each independent part. 

66. (Previously Presented) The method of claim 65 wherein the 
independent parts comprise individual email messages. 

67. (Previously Presented) The method of claim 65 wherein the 
independent parts comprise message attachments. 

68. (Previously Presented) The method of claim 1 further comprising: 
prior to the testing, attempting to identify a protocol by comparing the 

stored TCP/IP network communications with known protocol patterns, wherein 
when the attempting results in one of the known protocol patterns being 
identified, the testing of the stored communications involves testing of each 
independent part of the stored TCP/IP network communications associated with 
the identified one of the known protocol patterns. 



